On Aug 29, 1:17 pm, dave b <db.pub.m...@gmail.com> wrote:
> On 29 August 2010 08:28, Steve Holden <holden...@gmail.com> wrote:
>
> > On 8/28/2010 6:10 PM, Graham Dumpleton wrote:
> >> On Aug 28, 11:21 pm, dave b <db.pub.m...@gmail.com> wrote:
> >>>>>> So obviously my proposed attack is to simply say "content length is
> >>>>>> tiny" and "this file is actually HUGE".
>
> [...]
>
> >> All up, I would suggest you are getting worked up over nothing.
>
> > +1
>
> Yes I have :) it "works for me tm".
> Also, you have to consider the other problem. If the file is > 2.5 mb
> it can be put in /tmp and this has no size limits which again is going
> to make the system slower and can be used to attack it? In either case
> there seem to be real protections against this in Django core as far
> as I can see.
Use Apache/mod_wsgi and you can say:

    LimitRequestBody 1000000

and Apache/mod_wsgi will give back a HTTP_REQUEST_ENTITY_TOO_LARGE error
when it goes over that size before it even passes the request to Django,
and even before any of the request content is read by Apache.

So, add the protections where most appropriate if you want to outright
block requests with large content. If your issue is efficient handling of
large posts, where you do want to handle them, then that is an issue for
Django.

Note that other Apache modules by which you can host Django may not work
properly in honouring the LimitRequestBody directive of Apache. The
mod_python module for example doesn't really get it right, causing an
exception when the request content is read by the Django application,
resulting in a malformed error response.

Graham

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
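The two defences discussed in this thread, rejecting an oversized body up front (what Apache's `LimitRequestBody` does before the request reaches the application) and never trusting a client's `Content-Length` to decide how much to read, can also be shown at the WSGI layer. The following is an added example, not code from Django, mod_wsgi or anyone in this thread; the names `MaxBodyMiddleware`, `CappedInput`, `echo_size_app` and `run_request`, and the sample requests, are constructed for illustration.

```python
"""Added example: a WSGI middleware that refuses over-sized request bodies
before the wrapped application sees them, and caps the bytes the application
can read even when the declared Content-Length is wrong.

Not Django's or mod_wsgi's code. Apache's LimitRequestBody performs the
same up-front check earlier, inside the server. All names here are
hypothetical and the requests below are constructed sample input."""

import io


class CappedInput:
    """Wraps wsgi.input so that at most `limit` bytes can ever be read from it,
    whatever the client claimed in Content-Length (the "content length is tiny,
    file is HUGE" case from the thread)."""

    def __init__(self, stream, limit):
        self._stream = stream
        self._remaining = limit

    def read(self, size=-1):
        if self._remaining <= 0:
            return b""
        if size is None or size < 0 or size > self._remaining:
            size = self._remaining
        data = self._stream.read(size)
        self._remaining -= len(data)
        return data


class MaxBodyMiddleware:
    """Rejects requests whose declared body exceeds `max_body` with 413, and
    caps the readable body at min(declared, max_body) for everything else."""

    def __init__(self, app, max_body):
        self.app = app
        self.max_body = max_body

    def __call__(self, environ, start_response):
        raw = environ.get("CONTENT_LENGTH") or "0"
        try:
            declared = int(raw)
        except ValueError:
            declared = -1
        if declared < 0:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Bad Content-Length\n"]
        if declared > self.max_body:
            # Same outcome as Apache's LimitRequestBody: refuse before reading.
            start_response("413 Request Entity Too Large",
                           [("Content-Type", "text/plain")])
            return [b"Request body too large\n"]
        environ["wsgi.input"] = CappedInput(environ["wsgi.input"],
                                            min(declared, self.max_body))
        return self.app(environ, start_response)


def echo_size_app(environ, start_response):
    """Constructed sample application: reads the whole body, reports its size."""
    body = environ["wsgi.input"].read()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"received %d bytes\n" % len(body)]


def run_request(app, body, declared_length):
    """Drives `app` with a constructed WSGI environ; returns (status, bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {
        "REQUEST_METHOD": "POST",
        "CONTENT_LENGTH": str(declared_length),
        "wsgi.input": io.BytesIO(body),
    }
    result = b"".join(app(environ, start_response))
    return captured["status"], result


if __name__ == "__main__":
    app = MaxBodyMiddleware(echo_size_app, max_body=100)
    print(run_request(app, b"x" * 10, 10))       # accepted, 10 bytes read
    print(run_request(app, b"x" * 1000, 1000))   # refused with 413
    print(run_request(app, b"x" * 50, 5))        # only 5 bytes reachable
```

The third request is the case the thread worries about: the client declares 5 bytes but sends 50. The application only ever sees 5, so the declared length cannot be used to smuggle more data past the limit, and nothing is buffered to disk on the strength of a header the server has no reason to trust.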